
operator: ProvisionToken support#18718

Merged
hugoShaka merged 5 commits into master from hugo/operator-token-support on May 19, 2023

Conversation

@hugoShaka (Contributor) commented Nov 22, 2022

Fixes: #21417

This PR adds a new TeleportProvisionToken CRD reconciled by the kubernetes operator.
This will be used when splitting auth and proxies (see RFD 0096) to create kubernetes provision tokens (see RFD 0094) for the proxies to join.

The CRD generator was not registering nested messages properly, the first commit contains the fix. (it was also swallowing errors)

Note for reviewers: the PR looks huge but you can disregard the big YAML manifests which are not really relevant. I'd love to find a way to improve readability of those PRs.

Blocked by #18659

This PR should be rebased and CRD generation ran again with the new Kubernetes provision tokens.

@github-actions bot commented:

@hugoShaka - this PR is large and will require admin approval to merge. Consider breaking it up into a series of smaller changes.

@github-actions github-actions Bot requested a review from mdwn November 22, 2022 21:01
@strideynet (Contributor) left a comment:


Happy with this once my points & those by Marco have been addressed.

@mdwn (Contributor) left a comment:


One small comment, but otherwise pending resolution of the existing feedback, LGTM.

@hugoShaka (Contributor, Author) commented Dec 2, 2022

I discovered that tokens, unlike most resources, are forcefully given an expiry.

This happens in the tokenToItem translation:

```go
func (s *ProvisioningService) tokenToItem(p types.ProvisionToken) (*backend.Item, error) {
	if err := p.CheckAndSetDefaults(); err != nil {
		return nil, trace.Wrap(err)
	}
	// A missing or near-immediate expiry is replaced with now + ProvisioningTokenTTL.
	if p.Expiry().IsZero() || p.Expiry().Sub(s.Clock().Now().UTC()) < time.Second {
		p.SetExpiry(s.Clock().Now().UTC().Add(defaults.ProvisioningTokenTTL))
	}
```

The operator design relies on the fact resources it creates won't expire. If a token expires, it won't be reconciled immediately (because we don't watch teleport resources events, only kube ones). This might lead to a non-working token for up to 10 hours.

The PR will have to be adapted to support this, the easiest workaround would be to set expiry to a very far date, like in 1000 years.

Edit: I'll likely add an annotation or something specifying the expiry and won't reconcile stuff after the expiry.
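As an added illustration (not code from the PR or from Teleport), the following models the expiry-defaulting rule quoted above together with the reconcile gap the comment describes; the TTL value, the resync interval, the `token` type and the helper names are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Assumed values: Teleport's defaults.ProvisioningTokenTTL is not imported here,
// and the operator resync period is taken from the "up to 10 hours" remark.
const (
	provisioningTokenTTL = 30 * time.Minute
	resyncInterval       = 10 * time.Hour
)

// token is a minimal stand-in for types.ProvisionToken (hypothetical type).
type token struct {
	Name   string
	Expiry time.Time
}

// applyExpiryDefault reproduces the rule quoted from tokenToItem: a zero or
// near-immediate expiry becomes now + TTL. The clock is injected for testing.
func applyExpiryDefault(t token, now time.Time) token {
	if t.Expiry.IsZero() || t.Expiry.Sub(now) < time.Second {
		t.Expiry = now.Add(provisioningTokenTTL)
	}
	return t
}

// expiresBeforeResync reports whether a stored token lapses before the
// operator's next scheduled reconcile, the window a joining proxy would hit.
func expiresBeforeResync(t token, now time.Time) bool {
	return t.Expiry.Before(now.Add(resyncInterval))
}

// farFutureExpiry is the workaround floated in the comment: an expiry 1000
// years out, so the defaulting rule never fires and the token never lapses.
func farFutureExpiry(now time.Time) time.Time {
	return now.AddDate(1000, 0, 0)
}

func main() {
	now := time.Now().UTC()
	plain := applyExpiryDefault(token{Name: "operator-managed"}, now)
	far := applyExpiryDefault(token{Name: "operator-managed-far", Expiry: farFutureExpiry(now)}, now)
	for _, tk := range []token{plain, far} {
		fmt.Printf("%-21s expires %s, lapses before resync: %t\n",
			tk.Name, tk.Expiry.Format(time.RFC3339), expiresBeforeResync(tk, now))
	}
}
```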

@public-teleport-github-review-bot commented:

@hugoShaka - this PR will require admin approval to merge due to its size. Consider breaking it up into a series of smaller changes.

@hugoShaka (Contributor, Author) commented:

I cherry-picked the changes and applied them on an up-to-date master. Thanks to #21133, we can now create expiry-less tokens in v13, which unlocks the PR. It won't be backportable to v12, but at least v13 users will benefit from the feature.

@hugoShaka hugoShaka added this pull request to the merge queue May 19, 2023
Merged via the queue into master with commit 37aa916 May 19, 2023
@hugoShaka hugoShaka deleted the hugo/operator-token-support branch May 19, 2023 16:13
@public-teleport-github-review-bot commented:

@hugoShaka See the table below for backport results.

Branch Result
branch/v13 Create PR


Successfully merging this pull request may close these issues.

operator: support ProvisionToken resources

5 participants